Skip to content
👤 Identity and Access Management Knowledge Base for Cloud Providers
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
.github/workflows Fix quote to respect linter. Feb 15, 2020

👤 Awesome Identity and Access Management

In a Standford class on Cloud computing overview, the software stack is presented as such:

This knowledge base cover the far right perimeter of the cloud stack. It is one of the pillar of the cloud ecosystem, bridging the users, the products and the business. The other pillar being billing & payments.



  • IAM definition - A framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources.
  • As a user, I want _____ - A meta-critic of account management, in which features expected by the business clash with real user needs, in the form of user stories written by a fictional project manager.
  • Things end users care about but programmers don't - In the same spirit as above, but broader: all the little things we overlook as developers but users really care about. In the top of that list lies account-centric features, diverse integration and import/export tools. I.e. all the enterprise customers needs to cover.



The whole authentication stack is based on cryptography primitives. This can't be overlooked.

Zero-trust Network

Zero trust network security operates under the principle “never trust, always verify.”.


Are you who you pretend to be?



  • An argument for passwordless - Passwords are not the be-all and end-all of user authentication. This article ties to tell you why.
  • WebAuthn guide - A very accessible guide to WebAuthn, a standard allowing servers to register and authenticate users using public key cryptography instead of a password, supported by all major browsers.

Security Key

  • Webauthn and security keys - Describe how authentication works with security keys, details the protocols, and how they articulates with WebAuthn. Key takeaway: There is no way to create a U2F key with webauthn however. (...) So complete the transition to webauthn of your login process first, then transition registration.
  • Getting started with security keys - A practical guide to stay safe online and prevent phishing with FIDO2, WebAuthn and security keys.
  • Solo - Open security key supporting FIDO2 & U2F over USB + NFC.
  • OpenSK - Open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.



TL;DR: don't. For details, see articles below.

Public-Key Infrastructure (PKI)

Certificate-based authentication.


JSON Web Token is a bearer's token.

OAuth2 & OpenID

OAuth 2.0 is an authorization framework. OpenID Connect (OIDC) is an authentication layer on top of it.

The old OpenID is dead; the new OpenID Connect is very much not-dead.


SAML 2.0 is a means to exchange authorization and authentication between services, like OAuth/OpenID protocols above.

Typical SAML identity prodiver is an insitution or a big corporation's internal SSO, while the typical OIDC/OAuth provider is a tech company that runs a data silo.


Now that we know you are you, are you allowed to perform what you want to do?

All things related to access control policies, from classic Access Control Lists to Role Based Access Control.


A clever curiosity to distribute and delegate authorization.

Secret Management

Architectures, software and hardware allowing the storage and usage of secrets to allow for authentication and authorization, while maintaining the chain of trust.

  • Secret at Scale at Netflix (slides) - Solution based on blind signatures.
  • High Availability in Google's Internal KMS (slides) - Not GCP's KMS, but the one at the core of their infrastructure.
  • vault - Secure, store and tightly control access to tokens, passwords, certificates, encryption keys.
  • sops - Encrypts the values of YAML and JSON files, not the keys.
  • gitleaks - Audit git repos for secrets.
  • Keywhiz - A system for managing and distributing secrets, which can fit well with a service oriented architecture (SOA).
  • roca - Python module to check for weak RSA moduli in various key formats.

Hardware Security Module (HSM)

HSMs are physical devices guaranteeing security of secret management at the hardware level.

Trust & Safety

Once you've got a significant user base, it is called a community. You'll then be responsible to protect it: the customer, people, the company, the business, and facilitate all interactions and transactions happening therein.

A critical intermediation component driven by a policy and constraint by local laws, likely embodied by a cross-functionnal team of 24/7 operators and systems of highly advanced moderation and administration tools. You can see it as an extention of customer support, specialized in edge-cases like manual identity checks, moderation of harmful content, stopping harrassments, handling of warrants and copyright claims, data sequestration and other credit card disputes.

User Identity

Most businessese do not collect customer's identity to create user profiles to sell to third party, no. But you still have to: local laws require to keep track of contract relationships under the large Know You Customer (KYC) banner.


Providing services, you're exposed to fraud, crime and abuses. You should never underestimate how much cleverer than you people will be when it comes to money. And expect any bug or discrpencies in your procedure to be exploited for financial gain.


The first mecanical line of defense against abuses consist in plain and simple black-listing. You'll be surprised how they still are effective.

Hostnames and Subdomains

Useful to identified clients, catch and block swarms of bots, and limit effects of dDOS.

  • hosts - Consolidates reputable hosts files, and merges them into a unified hosts file with duplicates removed.
  • The Public Suffix List - Mozilla's registry of public suffixes, under which Internet users can (or historically could) directly register names.
  • Certificate Transparency Subdomains - An hourly updated list of subdomains gathered from certificate transparency logs.
  • Subdomain blacklists: #1, #2, #3, #4.
  • xkeyscorerules100.txt - NSA's XKeyscore matching rules for TOR and other anonymity preserving tools.


  • Burner email providers - A list of temporary email providers. And its derivated Python module.
  • MailChecker - Cross-language temporary (disposable/throwaway) email detection library.
  • Temporary Email Address Domains - A list of domains for disposable and temporary email addresses. Useful for filtering your email list to increase open rates (sending email to these domains likely will not be opened).
  • gman - A ruby gem to check if the owner of a given email address or website is working for THE MAN (a.k.a verifies government domains). Good resource to hunt for potential government customers in your user base.

Reserved IDs



Another line of defense againsts spammers.

  • reCaptcha - reCaptcha is still an effective, economical and quick solution when your company can't afford to have a dedicated team to fight bots and spammers at internet scale.
  • Anti-captcha - Captchas solving service.


As the guardian of user's data, the IAM stack is deeply bounded by the respect of privacy.


As a central repository of user data, the IAM stack stakeholders have to prevent any leakage of business and customer data. To allow for internal analytics, anonymization is required.


The well-known European privacy framework

  • GDPR Tracker - Track the GDPR compliance of cloud services and subprocessors.
  • GDPR documents - Templates for personal use to have companies comply with "Data Access" requests.
  • Ship Your Enemies GDPR - Weaponizing GDPR to help you send your enemies a Data Requests designed to waste as much of their time as possible.
  • GDPR Enforcement Tracker - List of GDPR fines and penalties.


As stakeholder of the IAM stack, you're going to implement in the backend the majority of the primitives required to build-up the sign-up tunnel and user onboarding. This is the first impression customers will get from your product, and can't be overlooked: you'll have to carrefully design it with front-end experts. Here is a couple of guides to help you polish that experience.

Open-Source Projects

Competitive Analysis

A bunch of resources to keep track of the current status and progress of all companies operating in the domain.


  • - Cypherpunks overlaps with security. This wiki compiles information about the movement, its history and the people/events of note.
You can’t perform that action at this time.